Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

EPSS > 50%: 164
CISA KEV Listed: 156
CVEs with EPSS: 35,468
Avg EPSS Score: 0.7%
Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary
8601 | CVE-2025-0541 | 0.13% | 32 | 6.3 | | CVE-2025-0541 is a critical SQL injection vulnerability in Codezips Gym Management System 1.0 that a
8602 | CVE-2025-0535 | 0.13% | 32 | 6.3 | | This critical SQL injection vulnerability in Codezips Gym Management System 1.0 allows remote attack
8603 | CVE-2025-0533 | 0.13% | 32.1 | 7.3 | | This critical SQL injection vulnerability in the 1000 Projects Campaign Management System Platform f
8604 | CVE-2025-0532 | 0.13% | 32 | 6.3 | | CVE-2025-0532 is a critical SQL injection vulnerability in Codezips Gym Management System 1.0 that a
8605 | CVE-2025-21372 | 0.13% | 32.1 | 7.8 | | This vulnerability in Microsoft Brokering File System allows attackers to escalate privileges on aff
8606 | CVE-2025-21315 | 0.13% | 32.1 | 7.8 | | This is an elevation of privilege vulnerability in Microsoft's Brokering File System component. It a
8607 | CVE-2025-22540 | 0.13% | 32 | 9.3 | | This SQL injection vulnerability in the Emailing Subscription WordPress plugin allows attackers to e
8608 | CVE-2024-56280 | 0.13% | 32 | 8.8 | | This vulnerability allows attackers to escalate privileges in WPGuppy WordPress plugins, potentially
8609 | CVE-2024-49644 | 0.13% | 32 | 8.8 | | This vulnerability allows attackers to escalate privileges in the AllAccessible WordPress plugin, po
8610 | CVE-2024-12368 | 0.13% | 32.1 | 8.1 | | An improper access control vulnerability in Odoo's auth_oauth module allows internal users to export
8611 | CVE-2025-26974 | 0.13% | 32 | 9.3 | | This SQL injection vulnerability in WPExperts.io WP Multi Store Locator plugin allows attackers to e
8612 | CVE-2025-26943 | 0.13% | 32 | 9.3 | | This SQL injection vulnerability in the Easy Quotes WordPress plugin allows attackers to execute arb
8613 | CVE-2024-51505 | 0.13% | 32 | 8.0 | | A race condition vulnerability in Atos Eviden IDRA allows Config Admin users to escalate privileges
8614 | CVE-2025-22290 | 0.13% | 32 | 9.3 | | This SQL injection vulnerability in the LTL Freight Quotes – FreightQuote Edition WordPress plugin
8615 | CVE-2025-1183 | 0.13% | 32 | 6.3 | | This critical SQL injection vulnerability in CodeZips Gym Management System 1.0 allows attackers to
8616 | CVE-2025-24213 | 0.13% | 32 | 7.8 | | A type confusion vulnerability in Apple's WebKit browser engine could allow memory corruption when p
8617 | CVE-2025-24852 | 0.13% | 32 | 4.6 | | This vulnerability in CHOCO TEI WATCHER mini cameras allows attackers who gain physical access to th
8618 | CVE-2024-12720 | 0.13% | 32.1 | 7.5 | | A Regular Expression Denial of Service (ReDoS) vulnerability exists in the huggingface/transformers
8619 | CVE-2024-10834 | 0.13% | 32.1 | 9.1 | | This vulnerability in eosphoros-ai/db-gpt version 0.6.0 allows attackers to write arbitrary files to
8620 | CVE-2025-2391 | 0.13% | 32.1 | 7.3 | | A critical SQL injection vulnerability in Blood Bank Management System 1.0 allows attackers to execu
8621 | CVE-2025-2383 | 0.13% | 32.1 | 7.3 | | This critical SQL injection vulnerability in PHPGurukul Doctor Appointment Management System 1.0 all
8622 | CVE-2025-2382 | 0.13% | 32.1 | 7.3 | | This critical SQL injection vulnerability in PHPGurukul Online Banquet Booking System 1.0 allows att
8623 | CVE-2025-2381 | 0.13% | 32.1 | 7.3 | | This critical SQL injection vulnerability in PHPGurukul Curfew e-Pass Management System 1.0 allows r
8624 | CVE-2025-2380 | 0.13% | 32.1 | 7.3 | | This critical SQL injection vulnerability in PHPGurukul Apartment Visitors Management System 1.0 all
8625 | CVE-2025-2372 | 0.13% | 32.1 | 7.3 | | This critical SQL injection vulnerability in PHPGurukul Human Metapneumovirus Testing Management Sys
8626 | CVE-2025-26875 | 0.13% | 32 | 9.3 | | This SQL injection vulnerability in the 'Multiple Shipping And Billing Address For Woocommerce' Word
8627 | CVE-2025-2217 | 0.13% | 32 | 6.3 | | This critical SQL injection vulnerability in zzskzy Warehouse Refinement Management System 1.3 allow
8628 | CVE-2025-2132 | 0.13% | 32 | 4.7 | | This critical SQL injection vulnerability in ftcms 2.1 allows remote attackers to execute arbitrary
8629 | CVE-2025-2112 | 0.13% | 32 | 6.3 | | This is a critical SQL injection vulnerability in the user-xiangpeng yaoqishan software that allows
8630 | CVE-2024-53692 | 0.13% | 32.1 | 4.7 | | A command injection vulnerability in QNAP operating systems allows remote attackers with administrat
8631 | CVE-2025-2060 | 0.13% | 32.1 | 7.3 | | A critical SQL injection vulnerability exists in PHPGurukul Emergency Ambulance Hiring Portal 1.0, s
8632 | CVE-2025-2050 | 0.13% | 32.1 | 7.3 | | This critical SQL injection vulnerability in PHPGurukul User Registration & Login and User Managemen
8633 | CVE-2025-1958 | 0.13% | 32 | 6.3 | | This critical SQL injection vulnerability in aaluoxiang oa_system 1.0 allows remote attackers to exe
8634 | CVE-2025-1956 | 0.13% | 32.1 | 7.3 | | A critical SQL injection vulnerability in code-projects Shopping Portal 1.0 allows remote attackers
8635 | CVE-2025-1952 | 0.13% | 32.1 | 7.3 | | This critical SQL injection vulnerability in PHPGurukul Restaurant Table Booking System 1.0 allows r
8636 | CVE-2025-27268 | 0.13% | 32 | 9.3 | | This SQL injection vulnerability in the Small Package Quotes – Worldwide Express Edition WordPress
8637 | CVE-2025-26535 | 0.13% | 32 | 9.3 | | This SQL injection vulnerability in the Bitcoin/AltCoin Payment Gateway for WooCommerce plugin allow
8638 | CVE-2025-1857 | 0.13% | 32.1 | 7.3 | | A critical SQL injection vulnerability exists in PHPGurukul Nipah Virus Testing Management System 1.
8639 | CVE-2025-1843 | 0.13% | 32 | 6.3 | | This critical SQL injection vulnerability in Mini-Tmall allows remote attackers to execute arbitrary
8640 | CVE-2025-1831 | 0.13% | 32 | 6.3 | | This critical SQL injection vulnerability in zj1983 zz software allows remote attackers to execute a
8641 | CVE-2025-1821 | 0.13% | 32 | 6.3 | | This CVE describes a critical SQL injection vulnerability in the zj1983 zz software that allows atta
8642 | CVE-2025-1820 | 0.13% | 32 | 6.3 | | This critical SQL injection vulnerability in zj1983 zz software allows remote attackers to execute a
8643 | CVE-2024-41753 | 0.13% | 32 | 6.1 | | This cross-site scripting vulnerability in IBM Cloud Pak for Business Automation allows unauthentica
8644 | CVE-2023-28909 | 0.13% | 32.1 | 8.0 | | This vulnerability allows remote attackers to execute arbitrary code on affected Volkswagen MIB3 inf
8645 | CVE-2025-41420 | 0.13% | 32.1 | 9.6 | | A cross-site scripting vulnerability in WWBN AVideo's userLogin cancelUri parameter allows attackers
8646 | CVE-2025-49746 | 0.13% | 32.1 | 9.9 | | CVE-2025-49746 is an improper authorization vulnerability in Azure Machine Learning that allows auth
8647 | CVE-2025-48821 | 0.13% | 32 | 7.1 | | CVE-2025-48821 is a use-after-free vulnerability in Windows Universal Plug and Play (UPnP) Device Ho
8648 | CVE-2024-37656 | 0.13% | 32 | 6.1 | | An open redirect vulnerability in gnuboard5 v5.5.16 allows attackers to redirect users to malicious
8649 | CVE-2025-49387 | 0.13% | 32 | 10.0 | | This vulnerability allows attackers to upload arbitrary files, including web shells, to websites usi
8650 | CVE-2025-50567 | 0.13% | 32.1 | 10.0 | | Saurus CMS Community Edition 4.7.1 contains a critical SQL injection vulnerability in the DB::prepar

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
